If MFA is not enabled and the user credentials are valid, the user is authenticated.

If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (e.g., Google Authenticator or Okta Verify) and is prompted for a validation code. If the code sent back to the client is correct, the user gains access.

Note: Some applications or services (e.g., AWS Workspace) do not actually present an MFA selection at login, but instead ask for the MFA code together with the user's username and password. If the user has enrolled in more than one MFA factor (e.g., Okta Verify and Yubikey), the user does not need to specify which one they are using; the entered code is passed to each handler in turn until one validates it successfully.

RADIUS agent versions 2.2.0 and later support SSL pinning, which provides an extra layer of security. SSL pinning is not enabled by default for existing users upgrading to the new agent. If you are upgrading from an agent version prior to v2.2.0, do the following after the upgrade.

Warning: The following steps should not be performed for agents on a network containing a web security appliance.

Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.

From this folder, navigate to current\user\config\radius\config.properties. Before making changes, we recommend creating a backup of this file. Open the file using a text editor such as Notepad.

Append the following line to the end of the file: ragent.ssl.pinning = true

Save the file.

Restart the Okta RADIUS Agent service using the available Windows administrative tools.

This process restricts agent communication to servers that present valid certificates whose public keys are known to the new agent.

Note: See below for information on other configuration property settings.

If setting this up to test on your Okta Preview Sandbox org, you'll need to enter the complete URL for your org. For example: https://mycompany.oktapreview.com

Enter Subdomain: for example, if you access Okta using https://mycompany.okta.com, enter "mycompany", as described below.

For Windows Server 2008 R2 Core only: Open a browser and add the provided URL into the address field. This authorizes the installer to use Okta.

Click the Next button to continue to the Okta Sign In page.

Sign in to Okta on the Sign In screen.

Click the Allow Access button.

The confirmation screen appears. Click the Finish button to complete the installation.

Note: If during the agent installation you encounter Error code 12: Could not establish trust relationship for the SSL/TLS service channel, ensure that you are running the latest version of the agent as older agent versions do not support TLS 1.2.

Additional Property Configurations

You can override the defaults of the following properties, if desired.

Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.

From this folder, navigate to current\user\config\radius\config.properties. Before making changes, we recommend creating a backup of this file. Open the file using a text editor such as Notepad.

Configure any of the properties shown below, as desired.

When done, save the file.

Any changes are effective after restarting the Okta RADIUS Agent service using the available Windows administrative tools.
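The SSL pinning procedure above and the property overrides described in this section both come down to the same edit: back up config.properties, set or append a "key = value" line, and restart the service. The following PowerShell script is an added example (not Okta's own tooling) that does exactly that; it assumes the default installation path from this page and a Windows service whose display name begins with "Okta RADIUS Agent" (the exact service name is an assumption), and the value 30 for the connection pool is only an illustrative override.

```powershell
# Added example, not Okta's own tooling. Assumes the default install path given on
# this page and a service whose display name starts with "Okta RADIUS Agent".
$AgentRoot  = 'C:\Program Files (x86)\Okta\Okta RADIUS Agent'
$ConfigFile = Join-Path $AgentRoot 'current\user\config\radius\config.properties'

function Set-AgentProperty {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )
    # Keep a timestamped copy so the change can be rolled back (the page recommends a backup).
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Path -Destination "$Path.$stamp.bak"

    $lines   = @(Get-Content -Path $Path)
    # A property line looks like "key = value"; the dots in the key must be escaped for the regex.
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $newLine = "$Key = $Value"
    $found   = $false
    # Replace an existing line for this key in place so the file never carries two values for it.
    $updated = @(foreach ($line in $lines) {
        if ($line -match $pattern) { $found = $true; $newLine } else { $line }
    })
    if (-not $found) { $updated += $newLine }   # not present yet: append, as the procedure says

    # Java .properties files are ISO-8859-1; ASCII output is safe for these keys and values.
    Set-Content -Path $Path -Value $updated -Encoding ASCII
    if ($found) { "updated $Key" } else { "appended $Key" }
}

# Enable SSL pinning (upgrade procedure) and override one pool setting from the table
# (30 is an example value, not a recommendation).
Set-AgentProperty -Path $ConfigFile -Key 'ragent.ssl.pinning' -Value 'true'
Set-AgentProperty -Path $ConfigFile -Key 'ragent.num_max_http_connection' -Value '30'

# Changes take effect only after the agent service restarts.
$svc = Get-Service -DisplayName 'Okta RADIUS Agent*' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($svc) { Restart-Service -Name $svc.Name; "restarted $($svc.Name)" }
else      { Write-Warning 'Okta RADIUS Agent service not found; restart it manually.' }
```

Run it from an elevated PowerShell session, since both the Program Files path and the service restart require administrator rights.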

Property: ragent.num_max_http_connection
Description: The maximum number of HTTP connections in the connection pool
Default: 20

Property: ragent.num_request_threads
Description: The number of authentication worker threads available for processing requests
Default: 15

Property: ragent.total.request.timeout.millisecond
Description: The maximum time, in milliseconds, the RADIUS agent is allowed to spend processing a UDP packet after it has arrived from the RADIUS client
Default: 60,000

Property: ragent.okta.request.max.timeout.millisecond
Description: The socket timeout, in milliseconds, to set on the Okta API request. This property only applies if configured; otherwise, it is computed dynamically from the total request timeout setting.
Default: not set (computed dynamically from ragent.total.request.timeout.millisecond)

Example: If the agent times out after 90 seconds, add the following line to the config file:

When you uninstall and reinstall your RADIUS agent, you must decide whether you also want to remove the old Okta API token from your system. If you are performing an upgrade, you are not required to do so. To remove the API token, you must delete the Okta RADIUS Agent folder, and deactivate and remove your old RADIUS agent.

Uninstalling the RADIUS Agent

Uninstalling your RADIUS agent leaves the agent configuration data on your hard drive. To remove the configuration data, go to \Program Files (x86)\Okta and delete the Okta RADIUS Agent folder. Deleting this folder removes the agent configuration data and the API Token from your hard drive. The API token for the server is still valid in Okta so it is important to remove the configuration data.

Reinstalling the RADIUS Agent

Installing the RADIUS agent does not overwrite the configuration data in the Okta RADIUS Agent folder. If you want to reinstall and create a new API token, make sure you delete the Okta RADIUS Agent folder (as described above) before you reinstall the RADIUS agent. Then perform the procedure in Installing the Okta RADIUS Agent.

The RADIUS agent is not receiving traffic or authentication is failing.

The RADIUS agent must be able to listen on the UDP ports used by your RADIUS clients. Firewalls can block that communication if the necessary ports are not open. If you are unable to authenticate over RADIUS, verify that no firewall, including the Windows Firewall, is filtering this traffic. The standard port is UDP 1812, but other ports can be used.
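The following PowerShell function is an added example (not Okta's own tooling) of the two checks this section describes, run on the agent host: whether any process is actually bound to the RADIUS UDP port, and whether an enabled inbound Windows Firewall rule allows that port. It assumes the NetTCPIP and NetSecurity cmdlets present on Windows Server 2012 and later; port 1812 is the standard, and a different port can be passed if the clients use one.

```powershell
# Added example, not Okta's own tooling. RADIUS is UDP, so Test-NetConnection
# (which probes TCP) cannot tell you whether the port is reachable; check the
# local binding and the firewall rules directly instead.
function Test-RadiusListener {
    param([int] $Port = 1812)
    $result = [ordered]@{ Port = $Port; Listening = $false; Process = $null; AllowRules = @() }

    # 1. Is any process bound to the UDP port on this host?
    $ep = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($ep) {
        $result.Listening = $true
        $result.Process   = (Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    # 2. Which enabled inbound allow rules cover this port? Every rule's port filter is
    #    inspected, so this takes a few seconds on hosts with many rules. Port ranges
    #    such as "1800-1900" are reported as-is and not expanded.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -notin 'UDP', 'Any') { continue }
        $ports = @($pf.LocalPort)
        if ($ports -contains 'Any' -or $ports -contains "$Port") {
            $result.AllowRules += $rule.DisplayName
        }
    }
    [pscustomobject]$result
}

$check = Test-RadiusListener -Port 1812
$check | Format-List
if (-not $check.Listening) {
    Write-Warning "Nothing is bound to UDP $($check.Port); is the Okta RADIUS Agent service running?"
}
if ($check.AllowRules.Count -eq 0) {
    Write-Warning "No enabled inbound allow rule covers UDP $($check.Port); check Windows Firewall, then any network firewalls in the path."
}
```

A listener with no matching allow rule points at the Windows Firewall; a listener with an allow rule but still no traffic points at a firewall or routing problem between the RADIUS client and this host.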